The SEC says its X account was taken over with a SIM swap attack


Earlier this month, the Securities and Exchange Commission detailed how its official X account was compromised. The regulator confirmed that it was the victim of a SIM swapping attack and that its X account was not protected by multi-factor authentication (MFA) at the time of the login.

“The SEC has determined that an unauthorized party gained control of an SEC cell phone number associated with an account through a ‘SIM Swap’ attack,” the agency said, referring to a common scam in which attackers convince customer service representatives to port phone numbers to new devices. “An unauthorized party reset the password for the @SECGov account after taking control of the phone number.”

The X account was hacked to falsely claim that bitcoin ETFs had been approved, raising questions about the SEC’s security practices. Government-run social media accounts are usually required to have MFA enabled. The fact that an account as high-profile and potentially market-moving as @SECGov would not use an extra layer of security has already raised questions.

In its statement, the SEC said it asked X’s support staff to turn off MFA last July after “issues” with account access. “Once access was restored, MFA remained disabled until staff re-enabled it after the account was compromised on January 9,” the agency said. “MFA is currently enabled for all SEC social media accounts that offer it.”

While the absence of MFA made it much easier for the attackers to seize the SEC’s account, there are still many questions surrounding the incident, including how the attackers knew which phone number was linked to the X account, how the unnamed telecom carrier fell for the scam and, of course, who was behind it. The regulator said it is investigating those questions with the Justice Department, the FBI, Homeland Security and its own inspector general.
